Vulnerability Watch

Forum Discussion

scaveza
Product Team
3 years ago

Oracle issues Out-of-Band Advisory for E-Business Suite (CVE-2022-21500)

On May 19, Oracle released an out-of-band security advisory for its Oracle E-Business Suite product. The advisory covers CVE-2022-21500, an information disclosure vulnerability with a CVSSv3 score of 7.5. Exploitation requires a logged-in session, but the advisory warns that an attacker can simply self-register for an account to obtain one. For that reason Oracle rates the issue as if no credentials were needed: “this vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.”

The advisory follows a public disclosure of the vulnerability by Orwa Atyat, a bug bounty hunter who described the vulnerability and its impact on his blog. According to Atyat, an attacker can visit an affected E-Business Suite site, create an account and log in, then navigate to the Manage Proxies preference option in the settings menu and run a proxy report. The report returns a list of users and personally identifiable information (PII) for every user registered with the site. In some cases password information may also be obtained, although the blog does not elaborate on how the passwords are stored or whether they are encrypted. Although Atyat publicly disclosed the vulnerability in his blog post, his name was not among the eight individuals credited in the Oracle advisory for reporting it.

At this time Oracle has provided only mitigation steps, which can be applied to “mitigate a potential leak of personally identifiable information (PII).” Oracle expects to release a patch on June 15.

Once a patch has been released, a Tenable plugin will be released for the vulnerability. You can use the following link to see product coverage; it applies a CVE search filter so that coverage is displayed as soon as it becomes available. Tenable Research is continuing to investigate this vulnerability and examine coverage options.
